[Openswan Users] Is rightsubnet always required for subnet-subnet connections?

Kevin Locke kevin at kevinlocke.name
Fri Mar 11 20:20:59 EST 2011 

Hello All,

I am attempting to setup subnet-to-subnet connections where both sides
are using OpenSwan, both sides are gateway computers with a single
public IP and a (separate) private subnet for which they NAT,
connecting to each other via public addresses and passing traffic for
the entire subnet.

There is a single "central" subnet to which many other subnets will be
connecting.  I would like to provide administrative freedom to the
connecting subnets and minimize the configuration required on the
central subnet; ideally by allowing connections from any certificate
issued by the central CA regardless of address/subnet.  (Let me know
if this configuration is stupid.)

The following configuration works:
# Used on central server
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
	protostack=netkey

conn testconn-central
	authby=rsasig
	left=x.x.x.x
	leftsourceip=10.0.0.2
	leftsubnet=10.0.0.0/24
	leftcert=central.pem
	leftid=%fromcert
	leftrsasigkey=%cert
	right=%any
	rightsubnet=192.168.42.0/24
	rightca=%same

# Used on guest servers
config setup
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.42.0/24
	protostack=netkey

conn testconn-guest
	authby=rsasig
	left=x.x.x.x
	leftsubnet=10.0.0.0/24
	leftrsasigkey=%cert
	leftcert=central.pem
	right=y.y.y.y
	rightsourceip=192.168.42.1
	rightsubnet=192.168.42.0/24
	rightrsasigkey=%cert
	rightcert=guest-y.pem

I would like to remove the rightsubnet= parameter from
testconn-central so that I would not have to update the configuration
any time a guest network is added/removed/changed.  However, if I do,
the connection fails in STATE_MAIN_R3/STATE_QUICK_I1 with the
following message on the central server:

pluto[xxxxx]: "testconn-central"[2] y.y.y.y #1: cannot respond to IPsec SA request because no connection is known for 10.0.0.0/24===x.x.x.x<x.x.x.x>[CN=central,+S=C]...y.y.y.y[CN=guest-y,+S=C]===192.168.42.0

Am I doing something wrong?  Is this not possible/supported/suggested?
I'd appreciate any thoughts you have.

-- 
Cheers,      |  kevin at kevinlocke.name   | JIM:  kevinoid at jabber.org
Kevin        |  http://kevinlocke.name  | IRC: kevinoid on freenode

More information about the Users mailing list